Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:16 AM
Connect Directly

Newly Discovered Evasion Method For Targeted Attacks Silently Bypasses Network, Application Security

IDS/IPS, firewalls, Web application firewalls are among at-risk devices for technique that lets attackers sneak inside

CERT-Finland has reported a newly discovered technique that evades network and security devices -- namely IDS/IPS systems, but it could also work against network firewalls and Web application firewalls -- and lets attackers sneak in and conduct targeted attacks against an enterprise network.

The threat, which was discovered by researchers at Stonesoft's Helsinki labs, is based on vulnerabilities inherent in several vendors' IDS/IPS products, according to CERT-Finland, which has alerted the affected IDS/IPS vendors. The names of the vendors and their products have not been released publicly.

Jussi Eronen, head of vulnerability coordination at CERT-FI, which first issued an alert on the threat on Oct. 4, will update its vulnerability alert on the threat today.

Stonesoft says the attack method takes advantage of how TCP/IP handles packets. "It takes advantage of the fact that the TCP protocol allows conservative creation of packets, but liberal receiving of packets," says Matt McKinley, director of U.S. product management at Stonesoft. "There are predictable, limited ways you can evade an IPS ... packets can only be created in a few ways. We came up with a way to create packets that don't conform to rules and confuse IPSes in ways that conventional methods cannot do."

McKinley says it lets the attacker work his way inside the network without being noticed. "It's a way to knock at the door until something lets you in because there's no way to detect it. It continues to knock until something lets it in," he says. "When the packet then makes it to the host, the host is designed to look only at the things it's interested in and ignore all else ... it's end to end delivery [of a malicious payload]."

McKinley says the attack could also work against other network security devices, including firewalls. It would likely be used to spread a network worm akin to the Stuxnet attack or some other targeted attack, he says. "It's a way to deliver [a worm] into a network and cause any kind of harm you want," McKinley says.

How difficult would it be to pull off this attack? "That's the creepy part. The impact of this is fairly simple. We feel it's well within the means of motivated hackers to do it. This is not particularly complicated," McKinley says.

ICSA Labs has verified the attack and is also sounding the alarm about the risk to enterprises. Jack Walsh, intrusion detection and prevention program manager at ICSA Labs, says it could take some time for network security vendors to add protection for this attack to their products, thus leaving enterprises at risk until those patches become available. IDS/IPSes, firewalls, next-generation firewalls, and Web application firewalls are most at risk of this evasion technique, he says.

Walsh says the evasion technique itself basically gives attackers a foot in the door to do their dirty work, and it can affect more than just TCP/IP protocols. "It's only after the evasion is coupled with an attack that they exploit some vulnerability," Walsh says. "The weakness that the evasions take advantage of are in the protocols, but the affected protocols aren't limited to TCP/IP. Some evasions affect higher layer application protocols as well."

And protocols aren't the only thing vulnerable to this evasion technique, he says. "The standards defining the protocols suggest a certain amount of permissiveness between sending and receiving systems to ease interoperability and communication. Our need for systems to be interoperable and our need for communication between systems to be as easy as possible allow these evasions to work," Walsh says.

Once inside, attackers can compromise data and steal information from enterprises, he says. And it's even possible they have been using this method already, unbeknown to victim organizations. "Given that these evasions have always existed, criminals could be using them already. If they are in use, then there would be little evidence of it," Walsh says.

Some vendors might need to rearchitect their products to fix this, while others might have to patch or build in protections, Walsh says.

Meanwhile, CERT-Finland's Eronen wouldn't provide details of the products known to be affected thus far or their weaknesses that allow for the attack since coordination among the vendors is still under way.

"If [targeted] networks have systems that are for some reason left unpatched -- legacy systems, no supported patches available, compliance does not allow for any system modification, just to name a few possible reasons -- and IDS/IPS systems are employed as virtual patches, then these systems are particularly vulnerable to attacks using evasion techniques," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.